feat(translator): implement TCP security policy support#6496
feat(translator): implement TCP security policy support#6496davem-git wants to merge 129 commits intoenvoyproxy:mainfrom
Conversation
|
This now works. I added. a security policy to the tcp example and you can verify getting rejected from that policy |
davem-git
force-pushed
the
tcp-security-policy-features
branch
from
87ca72a to
5a4378c
Compare
davem-git
force-pushed
the
tcp-security-policy-features
branch
4 times, most recently
from
e6dbbc0 to
94ffdf1
Compare
davem-git
force-pushed
the
tcp-security-policy-features
branch
from
899bbdb to
7f8c58f
Compare
|
didn't rebase cleanly trying that again |
davem-git
force-pushed
the
tcp-security-policy-features
branch
from
925009c to
42ffe56
Compare
davem-git
force-pushed
the
tcp-security-policy-features
branch
from
ec62e0e to
afa5c43
Compare
zhaohuabing
left a comment
zhaohuabing
left a comment
There was a problem hiding this comment.
Can we add an e2e test to verify this works?
|
@zhaohuabing Running these e2e tests seems to fail on static-file-server, it doesn't have an image in docker. is there away to run them to just run my new tests? |
davem-git
force-pushed
the
tcp-security-policy-features
branch
2 times, most recently
from
52ff275 to
86bd7b4
Compare
|
@arkodg any advice Running these e2e tests seems to fail on static-file-server, it doesn't have an image in docker. is there away to run them to just run my new tests? |
|
@davem-git recommend trying out these commands locally,
|
|
also suggest rebasing to main, which make it easier to run e2e tests |
|
add some release note and updated documentation |
…y-policy-features
…ateway into tcp-security-policy-features
Signed-off-by: davem-git <[email protected]>
Signed-off-by: davem-git <[email protected]>
|
I was able merge in the changes from main. please review it. I also noticed that these test that are failing, seem to fail on other branches https://github.com/envoyproxy/gateway/pull/6851/commits but were merged in anyways. |
|
@arkodg any update on this? |
|
hey @davem-git the complexity this PR introduces is still very high, are there ways we can make the logic more readable ? for e.g. can we pass individual routes in gateway/internal/gatewayapi/translator.go Line 146 in 8fdebee |
|
Will do, any other comments? I've had this open a while with little feedback. The policies apply and work as expected, without input from your end this PR has dragged out for months. |
|
hey @davem-git lets collab together to get this into v1.6, if youre on the Envoy Slack lets start a convo there (my handle is on slack is |
Signed-off-by: davem-git <[email protected]>
Signed-off-by: davem-git <[email protected]>
| // +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'TCPRoute'] : true", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute" | ||
| // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == 'gateway.networking.k8s.io') : true ", message="this policy can only have a targetRefs[*].group of gateway.networking.k8s.io" | ||
| // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute']) : true ", message="this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute" | ||
| // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'TCPRoute']) : true ", message="this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute" |
There was a problem hiding this comment.
As mentioned in https://github.com/envoyproxy/gateway/pull/6496/files#r2415900704, can we add a comment saying that only client-IP authorization will be applied to TCPRoute?
There was a problem hiding this comment.
We also need to update the comment of the ClientCIDRs field on how to get client IP from TCP requests.
| return nil | ||
| } | ||
|
|
||
| func buildTCPRBACMatcherFromRules(rules []*ir.AuthorizationRule, defaultAction egv1a1.AuthorizationAction) *rbacconfig.RBAC { |
There was a problem hiding this comment.
Nit: can we move all the authorization-related methods to a standalone file tcp_authorization.go?
| if len(rule.Principal.Headers) > 0 { | ||
| return fmt.Errorf("rule %d: headers not supported for TCP", i) | ||
| } | ||
| if rule.Action == egv1a1.AuthorizationActionAllow && len(rule.Principal.ClientCIDRs) == 0 { |
There was a problem hiding this comment.
What happens when rule.Action == egv1a1.AuthorizationActionDeny && len(rule.Principal.ClientCIDRs) == 0 ?
There was a problem hiding this comment.
I think it defaults to deny, and blocks everything Do we want it to do that? I know we wanted to allow placeholders for security policy, I would think that would be fine if they just didn't add the authorization to the security policy
There was a problem hiding this comment.
i guess it doesn't matter. When i try this
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: default
name: tcp-app-2
spec:
targetRef:
group: gateway.networking.k8s.io
kind: TCPRoute
name: tcp-app-2
authorization:
defaultAction: Allowor
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: default
name: tcp-app-2
spec:
targetRef:
group: gateway.networking.k8s.io
kind: TCPRoute
name: tcp-app-2
authorization:
defaultAction: DenyBoth are accepted and do nothing
HTTP/1.1 200 OK
Content-Type: application/json
X-Content-Type-Options: nosniff
Date: Thu, 09 Oct 2025 20:02:19 GMT
Content-Length: 189
{
"path": "/",
"host": "backend",
"method": "GET",
"proto": "HTTP/1.1",
"headers": {},
"namespace": "default",
"ingress": "",
"service": "bar",
"pod": "backend-2-958dbb978-ffncm"
}%When it try this
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: default
name: tcp-app-2
spec:
targetRef:
group: gateway.networking.k8s.io
kind: TCPRoute
name: tcp-app-2
authorization:
defaultAction: Deny
rules:
- action: Allow
principal:
clientCIDRs:or this
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: default
name: tcp-app-2
spec:
targetRef:
group: gateway.networking.k8s.io
kind: TCPRoute
name: tcp-app-2
authorization:
defaultAction: Allow
rules:
- action: Deny
principal:
clientCIDRs:I get this
The SecurityPolicy "tcp-app-2" is invalid: spec.authorization.rules[0].principal: Invalid value: "object": at least one of clientCIDRs, jwt, or headers must be specifiedso I don't think its ever hit, i'll remove it and test again
| if routeIsTCP { | ||
| if tl := xdsIR[irKey].GetTCPListener(irListenerName(listener)); tl != nil { | ||
| for _, r := range tl.Routes { | ||
| if r == nil || r.Security != nil { |
There was a problem hiding this comment.
nit: I don't think r would be nil
| if r == nil || r.Security != nil { | |
| if r.Security != nil { |
| // Nothing else to do for this listener in TCP mode | ||
| continue | ||
| } | ||
| } |
There was a problem hiding this comment.
Should we just return here?
Maybe we can use a switch to make the logic easier to read:
switch route.GetRouteType() {
case resource.KindTCPRoute:
for _, listener := range parentRefCtx.listeners {
if tl := xdsIR[irKey].GetTCPListener(irListenerName(listener)); tl != nil {
for _, r := range tl.Routes {
if r.Name != expectedTCPRouteName { // exact match only
continue
}
// if already set - there's a specific level policy, so skip.
if r.Security != nil {
continue
}
// Only authorization for TCP
r.Security = &ir.SecurityFeatures{Authorization: authorization}
}
// Nothing else to do for this listener in TCP mode
continue
}
}
case resource.KindHTTPRoute, resource.KindGRPCRoute:
// The original HTTP/GRPC route logic
}There was a problem hiding this comment.
I think i got this. Can you please review it again? #7168
| var tcpSecurityFeatures *ir.SecurityFeatures | ||
| if authorization != nil { | ||
| tcpSecurityFeatures = &ir.SecurityFeatures{Authorization: authorization} | ||
| } |
There was a problem hiding this comment.
Nit: move this code block right before line 915.
There was a problem hiding this comment.
moved, please see other pr, trying to keep them in sync to help with the review
…y-policy-features
… PR's Signed-off-by: davem-git <[email protected]>
…ateway into tcp-security-policy-features
…cy.go Signed-off-by: davem-git <[email protected]>
…y-policy-features
…y-policy-features
feat(SecurityPolicies): add new featureAdding Security Policies for TCPGateways
adding security policies to TCPGateways using the existing API's
What this PR does / why we need it:
This PR will allow us to run authorization security policies only on TCPGateways
Which issue(s) this PR fixes:
Fixes # #4908
Release Notes: Yes/No